Overview
The openid-connect plugin integrates API7 EE with external OpenID Connect
identity providers (Keycloak, Auth0, Okta, etc.). It supports the full
authorization code flow for browser-based applications, bearer token validation
for API clients, and token introspection or local JWKS verification.
When to Use
- Integrate with enterprise identity providers (Keycloak, Auth0, Okta, Azure AD)
- Browser-based SSO with authorization code flow
- API protection with bearer access tokens
- Centralized authentication across multiple routes
Plugin Configuration Reference (Route/Service)
Required Fields
| Field | Type | Required | Default | Description |
|---|
client_id | string | Yes | — | OAuth 2.0 client ID |
client_secret | string | Yes | — | OAuth 2.0 client secret (encrypted in the database) |
discovery | string | Yes | — | OIDC well-known discovery URL |
Authentication & Scopes
| Field | Type | Required | Default | Description |
|---|
scope | string | No | "openid" | Space-delimited OIDC scopes |
bearer_only | boolean | No | false | Require bearer access token only (no redirect) |
required_scopes | array | No | — | Scopes required in access token |
realm | string | No | "apisix" | Realm in WWW-Authenticate header |
URIs & Redirects
| Field | Type | Required | Default | Description |
|---|
redirect_uri | string | No | {route_uri}/.apisix/redirect | Redirect URI after auth |
logout_path | string | No | "/logout" | Path to trigger logout |
post_logout_redirect_uri | string | No | — | URL to redirect after logout |
unauth_action | string | No | "auth" | Action on unauth: "auth" (redirect), "deny" (401), "pass" (allow) |
Token Verification
| Field | Type | Required | Default | Description |
|---|
introspection_endpoint | string | No | — | Token introspection endpoint URL |
public_key | string | No | — | PEM public key for local JWT verification |
use_jwks | boolean | No | false | Use JWKS from discovery for local JWT verification |
token_signing_alg_values_expected | string | No | — | Expected JWT signing algorithm |
Session Management
| Field | Type | Required | Default | Description |
|---|
session.secret | string | Yes* | |